While IoT and smart devices are invaluable in this sector, their low security needs urgent attention and management.

In the challenging new reality of this pandemic, smart healthcare and IoT technology are bringing some reprieve to frontline medical workers. Internet-connected monitoring tools now make remote healthcare a reality, maximizing the efficiency of care and freeing up scarce hospital space for critical care.

In Australia, for example, health-tech companies have developed smartphone-based acute respiratory disease diagnostic tests that allow doctors to ascertain whether their patients are exhibiting COVID-19 symptoms. In Singapore, robots have been deployed at one general hospital to efficiently disinfect wards.  

The Hong Kong government is using electronic tracker wristbands to alert authorities when individuals flout compulsory home quarantine orders. In Hangzhou, China, robots are being used to deliver food and drinks to people under quarantine.

Unsurprisingly, the far-reaching use cases are expected to accelerate the adoption of IoT technologies, even beyond the pandemic.

How safe is the IoT?

Unfortunately, IoT devices are already notorious for their weak security, because optimizing functionality and minimizing cost is often prioritized. As we connect to an increasing number of IoT devices that collect and store sensitive personal data such as health records, it is essential for users to be cognizant of the expanded threat landscape created by the connected nature of such devices (particularly with the advent of 5G, where connectivity is set to accelerate further). At present, many devices are notoriously under-secured and present a significant security vulnerability.

Unit 42, Palo Alto Networks’ threat intelligence unit, recently analyzed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organizations in the USA and made startling discoveries. The report revealed that a staggering 98% of all IoT traffic is unencrypted. This exposes personal and confidential data on the network, giving attackers the ability to track unencrypted network traffic, then collect and exploit the data for profit on the dark web. 

In the healthcare sector, medical imaging systems such as X-rays, computed tomography, magnetic resonance imaging and ultrasound scanners all represent a critical part of the clinical workflow, but tend to have the most security vulnerabilities.

According to the report, 83% of medical imaging devices were running on unsupported operating systems, which opens the door for new attacks like cryptojacking and gives hackers the opportunity to use older attack techniques that IT teams may have long forgotten. This leaves hospital organizations vulnerable to attacks that can disrupt care or expose sensitive medical information.

Even beyond healthcare organizations, healthcare-related IoT devices continue to pose threats. A recent global IoT Study found that in Singapore, IoT devices connected to corporate networks were on the rise, with connected medical wearables (56%) being one of the top personal, non-business-related devices.

As it stands, IoT is creating a potential minefield for the future. There will soon be billions of devices proliferating throughout networks across the world. Legacy IoT devices without security measures retrofitted could well become virtual landmines waiting to explode. 

Even for devices that are designed with security in mind, emerging technologies could compromise their in-built systems. The emergence of deepfake technology, for example, could potentially pose a threat to voice or biometric-controlled connected devices.

Worryingly, it does not take a significant amount of knowledge or special skills to create deepfakes, since the technology needed is already widely available online.

Network segmentation

Governments in the region are already stepping up their efforts to address IoT security concerns in their countries. In Singapore, the Cyber Security Agency is launching a new security labelling scheme for connected devices in 2020—the first in the region to help consumers make informed purchasing choices about network-connected smart devices.

While new measures such as this are a positive sign of things to come, they will likely take some time to roll out, adopt and enforce. As such, the key lesson for all organizations today, especially those in the healthcare sector, is the need to have an effective IoT security strategy in place that can identify and manage risk proactively.

One such method is network segmentation, which entails dividing a computer network into smaller subnetworks. This can take some time to set up, but results in strong security benefits across the organisation. Employed within the context of a healthcare entity, mission-critical medical IoT devices would be deployed in isolation from generic, non-medical IoT devices and IT devices. Healthcare organizations would also employ accurate device identification methods with real-time analysis to fully understand the security risks associated with their IoT devices. 
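One way to check that a segmentation plan like the one described above is actually holding, as an added example that is not part of the original article. The subnets, device names, flow records and the single permitted flow (DICOM imaging traffic on TCP port 104) are all constructed assumptions.

```python
import ipaddress

# Constructed segmentation plan: one subnet per device class (sample addresses).
SEGMENTS = {
    "medical_iot": ipaddress.ip_network("10.20.0.0/24"),
    "generic_iot": ipaddress.ip_network("10.30.0.0/24"),
    "it": ipaddress.ip_network("10.40.0.0/24"),
}
# Cross-segment flows the plan permits: (source segment, destination segment, TCP port).
ALLOWED = {("it", "medical_iot", 104)}  # assumption: workstation fetching images via DICOM

# Constructed inventory: device name, identified device class, observed IP address.
INVENTORY = [
    ("ct-scanner-1", "medical_iot", "10.20.0.11"),
    ("infusion-pump-7", "medical_iot", "10.30.0.52"),  # medical device on the generic IoT subnet
    ("lobby-camera", "generic_iot", "10.30.0.8"),
    ("radiology-ws", "it", "10.40.0.21"),
]
# Constructed flow records: source IP, destination IP, destination port.
FLOWS = [
    ("10.40.0.21", "10.20.0.11", 104),  # permitted by ALLOWED
    ("10.30.0.8", "10.20.0.11", 23),    # generic IoT reaching a medical device
    ("10.20.0.11", "10.20.0.12", 104),  # stays inside the medical segment
    ("192.0.2.9", "10.20.0.11", 443),   # source is outside every planned segment
]

def segment_of(ip):
    """Return the name of the segment containing ip, or None if it is unplanned."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def misplaced_devices(inventory):
    """Devices whose identified class does not match the segment their IP sits in."""
    return [(name, cls, segment_of(ip)) for name, cls, ip in inventory
            if segment_of(ip) != cls]

def violating_flows(flows):
    """Flows that cross a segment boundary without an explicit allowlist entry."""
    bad = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is not None and s == d:
            continue  # intra-segment traffic is out of scope for this check
        if (s, d, port) not in ALLOWED:
            bad.append((src, dst, port, s, d))
    return bad

if __name__ == "__main__":
    print("Misplaced devices:", misplaced_devices(INVENTORY))
    print("Violating flows:", violating_flows(FLOWS))
```

The inventory check depends on the accurate device identification the paragraph mentions: a device classified wrongly will pass or fail this audit for the wrong reason.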

Healthcare security protects lives

For IoT devices being utilized in any sector, security is of paramount importance. Thinking holistically about managing the entire lifecycle of IoT devices, from the moment any new devices are connected all the way through to when these devices are retired, can help provide greater visibility into potential vulnerabilities.

Even more importantly, keeping the operating system software up to date plays a key role in preventing potential breaches.

Constantly retrofitting and updating devices to make sure they are secure may cost time and money, but this is better than leaving potential security landmines hidden in the organization until someone inadvertently detonates them. That is probably not a risk worth taking.

When it comes to the healthcare sector, this investment of time and cost does not just protect against reputational damage. It protects lives.